However, this relies on the fact that the two containers are running
on the same host. Since Docker 1.9, it’s possible to have a similar
feature out-of-the-box inside a multi-host Docker cluster, thanks to
the new overlay network driver. Unlike bridge networks, overlay
networks require a key-value store. We will use Consul. We
demonstrate the setup using Docker Machine to deploy Docker hosts
and Docker Swarm to manage them seamlessly.

The steps we will follow are:

Configure Docker and Docker Machine.

Spawn a new Docker VM with Docker Machine.

Run Consul, a key-value store, on this new Docker VM.

Create a 3-node Docker Swarm cluster.

Create an overlay network.

Spawn containers on the Docker Swarm cluster and check they can
use the overlay network.

Requirements

You will need to install a recent version of Docker Engine and Docker
Machine on your machine. You will also need an account on
Exoscale.

From your workstation, here is how to get started with Docker Engine
and Docker Machine:

Set up a key-value store

An overlay network requires a key-value store. The key-value store
holds information about the network state which includes discovery,
networks, endpoints, IP addresses, and more. We will use
Consul for this purpose.

Currently, we don’t have any Docker instance to host our key-value
store. Therefore, we will provision a new Docker VM called
tuto-manager specifically for this purpose.

$ docker-machine create -d exoscale tuto-manager

Your new VM with a running Docker daemon should be ready in less than
2 minutes. You can see it in the web console:

Configure the security groups

While you now have a VM running Consul in a container, it is not
quite functional. At Exoscale, we put security first and by
default, the VM has a restrictive firewall preventing any
incoming connection. Docker Machine did create a special security
group, docker-machine, authorizing the following incoming
connections:

TCP port 22 for SSH from any IP

TCP port 2376 for Docker from any IP (secured by TLS)

TCP port 3376 for Docker Swarm from any IP (secured by TLS)

ICMP type 8, code 0 from any IP (ping)

We need additional rules to ensure our overlay network will work as
expected. Notably, any host in the Docker cluster should be able to
access the key-value store. Moreover, packets used by the overlay
network also need to be authorized. Therefore, you need to modify the
docker-machine security group with the following additional rules:

TCP port 8500 for Consul from docker-machine security group

TCP port 7946 for overlay network from docker-machine security group

UDP port 7946 for overlay network from docker-machine security group

TCP port 4789 for overlay network from docker-machine security group

We keep our setup secure by only authorizing access to the key-value
store and to the overlay network by machines in the same security
group. Here is what you should get when you are done:
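
As an added example (not part of the original post and not Exoscale tooling), the Python below audits a list of ingress rules against the policy just described: Consul and overlay ports may only be reachable from the docker-machine security group. The `Rule` format, the `sg:` source notation and the sample rules are assumptions constructed for illustration.

```python
from typing import NamedTuple

ANY_IP = "0.0.0.0/0"
GROUP = "sg:docker-machine"   # assumed notation for "source is the docker-machine group"

# Ports the post restricts to members of the docker-machine security group.
INTERNAL_PORTS = {8500: "Consul", 7946: "overlay network", 4789: "overlay network"}


class Rule(NamedTuple):
    proto: str    # "tcp", "udp" or "icmp"
    port: int     # 0 for ICMP
    source: str   # CIDR, or "sg:<name>" for a security-group source


def audit(rules):
    """Return (exposed, missing) for a list of ingress rules.

    exposed: rules on an internal port whose source is not the group itself.
    missing: internal ports with no rule at all (the overlay would not work).
    """
    internal = [r for r in rules if r.proto != "icmp" and r.port in INTERNAL_PORTS]
    exposed = sorted(r for r in internal if r.source != GROUP)
    missing = sorted(set(INTERNAL_PORTS) - {r.port for r in internal})
    return exposed, missing


def report(rules):
    """Render findings as text lines; an empty list means the policy holds."""
    exposed, missing = audit(rules)
    lines = [f"EXPOSED {r.proto}/{r.port} ({INTERNAL_PORTS[r.port]}) from {r.source}"
             for r in exposed]
    lines += [f"MISSING port {p} ({INTERNAL_PORTS[p]})" for p in missing]
    return lines


# Constructed sample: the default docker-machine rules plus a flawed manual edit.
SAMPLE_RULES = [
    Rule("tcp", 22, ANY_IP), Rule("tcp", 2376, ANY_IP), Rule("tcp", 3376, ANY_IP),
    Rule("icmp", 0, ANY_IP),
    Rule("tcp", 8500, ANY_IP),                           # Consul opened to any IP
    Rule("tcp", 7946, GROUP), Rule("udp", 7946, GROUP),  # port 4789 forgotten
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)) or "policy holds")
```
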

Create a Swarm cluster

We can now use docker-machine to provision the hosts for your
network. We will create 3 VMs, each running a Docker Engine. They will
have to know how to contact the key-value store. The first one will
act as the Swarm master:

At creation time, you supply the Docker Engine daemon with the
--cluster-store option. This option specifies the location of the
key-value store for the overlay network. The shell expansion
$(docker-machine ip tuto-manager) resolves to the IP address of the
Consul server you created earlier.

Your new host should be available in less than two minutes. You can
create two additional hosts and make them join the cluster:

The overlay network is now available for all members of the Swarm
cluster.

Run an application

We are now ready to start a container using the newly created
network. To demonstrate that the network works as expected, we will
ensure we put each container on a different Docker VM. Let’s start a
MySQL container on the first node:

Note that we didn’t expose any ports. Therefore, the Nginx daemon
and the MySQL database are not accessible from the outside. They can
only be accessed from the overlay network. However, we can also expose
ports. Let’s destroy the web container and recreate a new one that
would also be accessible from outside:

Conclusion

Thanks to the new network overlay feature, it is now quite easy to
spread containers across a Docker Swarm cluster without worrying
about discovery (names are automatically exported through DNS in each
container) and network reachability.
